Mac Forensic Investigation

MacForensicLab

MacForensicsLab is the most powerful and cost-effective forensic tool on the market specifically designed to meet the demands of modern law enforcement and digital forensic investigators. In a world of limited resources and increasing demands, you may want more than one tool in your investigative toolbox, but you only need one; MacForensicsLab.

MacForensicsLab latest version features a totally redesigned and streamlined interface along with many other changes and imporvements. Now examiners can run their examinations with fewer clicks and process suspect data even faster than before. Rewritten to take full advantage of the power of Mac OS X, MacForensicsLab put the power in the examiner’s hands.

Mac System Forensic Investigation

Evidentiary integrity is maintained and protected with the utmost care.

Fast, fault tolerant, verifiable acquisitions produce a reliable bit-for-bit exact replica of the original media, while maximizing data recovery, even with corrupted media. These forensic images are created with integrated segmenting and granular hashing. Inline processing allows for the creation of dual output images and associated hash files, reducing the time the forensic examiner spends in the data acquisition phase.

Featuring the most powerful data recovery engine on the market.

MacForensicsLab allows forensics professionals to find and recover deleted and embedded files – then preview and recover them. Even swap space and unallocated space can be explored for evidence. MacForensicsLab finds the evidence you need.

A multi-threaded application

Optimized for use with either industry standard SQL database servers or the built-in database engine enables investigative collaboration by allowing investigators to simultaneously access and process any given case. Logs are kept of every action performed, every item found, and freeform notes can be taken during the case to tie them all together with your thoughts during the process. These can then be exported in standardized, customizable, easy-to-share, template-driven HTML reports at any stage of the investigation. 64-bit functionality takes advantage of the newest Intel processor powered Macs for the fastest forensic investigations possible.

Advanced image analysis technologies

Allows thumbnails and previews of graphic images to be automatically filtered by skin tone content, image, and file sizes, to quickly expose suspicious material. This greatly reduces the time spent manually processing the tens of thousands of graphic images associated with every forensic examination. Files of interest can be bookmarked with a simple key stroke for more in depth analysis.

Keyword analysis and cataloging is performed in multiple languages and includes MD5, SHA-1, and SHA-256 checksum calculations. This allows the investigator to seek out items of interest across entire devices, within folders of files, and directly inside specific files. The catalog function has pattern matching for hash lists and searches for possible SSN numbers and Credit Card numbers.

Powerful auditing of the user’s preferences and settings greatly reduces the time spent by the investigator collecting and collating information of evidentiary value. This enhances and speeds up the process of tying the suspect to the machine or specific actions, into a single click of the mouse. Investigators can use this function to tell what the suspect has been using and doing on their system, including Wi-Fi connections, iPods, web history and bookmarks, and general system preferences.

Extremely fast and verifiable media acquisition and data recovery.

Multiple operations/tasks can be done at the same time.

Perfect acquisition of devices that retain every detail of the original media.

The most powerful data recovery engine on the market increases the chance of recovering data, even when the drive is damaged.

Perform forensic acquisition and analysis on drives from Mac, MS Windows, Linux, and other operating systems.

Highly detailed logs to provide the investigator with as much information as possible when reporting.

MacLockPick

The need for timely identification, interpretation and meaningful analysis of electronic media has never been more critical. The ever-changing threat environment presented by cyber criminals and technological advances has required modern investigative processes to include on scene forensic triage. Investigators are faced with the challenges of capturing volatile data, preserving potential evidence and maintaining the integrity of the electronic crime scene while ensuring the data remains viable and accessible for further investigative efforts. The success of these operations is measured in minutes not days.

Mac System Triage Software

MacLockPick represents a new generation of forensic triage aimed at providing IT professionals, eDiscovery experts, and law enforcement officers a single tool that transcends the concerns of a particular operating systems. Whether the suspect (or the investigator) uses Microsoft Windows,Mac OS X or Linux, you can perform your field triage in the same way using the same tool.

MacLockPick for Microsoft Windows, Apple Mac OS X, and Linux is a fully cross platform tool that allows digital forensics professionals and eDiscovery experts to perform field triage on live computers running a wide variety of operating systems. Similarly, once completed, the results of the field triage operation can analyzed on a wide variety of computers.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment wrought with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally difference between life and death for the victim.

MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB Flash drive that is inserted into a suspect’s computer that is running (or sleeping). Once the MacLockPick software is run, it will extract the requisite data providing the examiner fast access to the suspect’s critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is minimally evasive, providing results that can hold up in a court of law.

What data is captured from the suspect’s computer

MacLockPick is designed to capture information that might be considered valuable to an IT manager, an E-Discovery professional, or a digital forensics law enforcement officer. Such information includes details about the system, activities of the user of that system, and the online history of that user.

Through the use of a plugin architecture MacLockPick can be configured to collect almost any kind of information depending on the needs of the investigator. This information might include files of a specific type, chat logs, phone records, browser history, passwords, accounts, and system state data.

Plugins and plugins types

MacLockPick is built on a plugin architecture in order to allow the investigator greater control over which processes are run in the field. These plugins are broken into 5 different categories;

Built-in Plugins – pre-configured digital investigative tools. SubRosaSoft.com Inc. has included many built-in plugins that are shipped with MacLockPick. These plugins gather data from the suspect’s system and deliver that information to the logs.

Copy Files or Folders – logical acquisition with hashing in MD5, SHA1, and SHA256. Investigators can pre-configure MacLockPick to make copies of specified files and folders on a suspect’s system. Target data can be specified relative to the root of the system or relative to the user’s home folder. Filters can also be included so that only files of a specified type or name are copied.

Terminal Commands – captured output from the command-line on the suspect’s computer. Many investigations require the execution of command-line tools on a system. MacLockPick can be configured to transparently open a shell environment, execute the specified command (with or without parameters), and then record the output to the logs.

External Commands – execution of third party command-line tools programs. The open source community, as well as digital forensics developers, have created a wide variety of tools that are useful to field investigators. MacLockPick allows the investigator to configure these tools to be included in the triage process and for the output from these tools to be captured in the MacLockPick logs.

Built-in plugins

The following is a partial list of the plugins currently being shipped with MacLockPick. This list is far from complete and is here as an example of the inherent product capabilities.

NTLM and Lan Man Password Grabber – This plugin utilizes pwdump6 (unmodified) from fizzgig. pwdump is the name of various Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM). The hashes extracted can be used to extract the passwords using brute force, dictionary, or rainbow table attacks once the MacLockPick logs have been returned to the lab for further analysis.

Apple Keychain Extractor – The keychain extractor takes advantage of the default state of the central password repository on Apple Mac OS X. All passwords stored in the keychain are extracted and detailed in the log files.

Apple iPhone – Gather information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers. Information captured includes (but is not limited to) the following;

Incoming and outgoing SMS messages including the phone number or name of the third party, the message content, and the date and time of the message.

IMEI – The International Mobile Equipment Identity is a number unique to every GSM and UMTS mobile phone as well as some satellite phones. It is usually found printed on the phone underneath the battery. The IMEI number is used by the GSM network to identify valid devices.

TMSI – The “Temporary Mobile Subscriber Identity” is the identity that is most commonly sent between the mobile phone and the network. TMSI is randomly assigned by the VLR to every mobile in the area, the moment it is switched on. The number is local to a location area, and so it has to be updated, each time the mobile moves to a new geographical area.

IMSI – An International Mobile Subscriber Identity is a unique number associated with all GSM and UMTS network mobile phone users. It is stored in the SIM inside the phone and is sent by the phone to the network. It is also used to acquire other details of the mobile in the Home Location Register (HLR) or as locally copied in the Visitor Location Register. In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead.

International Roaming Edge Status – Whether the phone is currently set to roam status.

Favorites – Speed dial entries including the name and phone number.

Safari State Documents – Pages currently open in the browser.

Safari History – Pages viewed in the browser.

Safari Bookmarks – All pages book marked.

Notes recorded in the notes program.

Address Book contacts, including all recorded details for each contact.

Mail Accounts setup for synchronization.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone’s functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second and third generations use UMTS and HSDPA.

Clipboard – Capture any text contents or graphics found in the clipboard. Any text that is found will be stored in the logs. Any graphics will be converted to jpeg form and saved to the output log folder.

Valuable information is often accidentally left in the clipboard by the suspect.

Firefox – Create a summary of online activity of the suspect when/if they use Firefox version 2 and/or 3. Information captured includes (but is not limited to) the following;

Bookmarks – All pages that have been marked as a favorite or shortcut.

History – Details on all pages visited.

Cookies – Data items stored by web servers for future reference.

Downloads – URL and file name of files that have been downloaded.

Auto fill – Data strings used to auto complete forms, this includes addresses and often purchasing information used for online purchases.

Mozilla Firefox is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation. Firefox has achieved recorded usage share of web browsers as of late, making it the second-most popular browser in current use worldwide, after Internet Explorer.

Internet Explorer – Create a summary of online activity of the suspect when/if they use Internet Explorer. Information captured includes (but is not limited to) the following;

Bookmarks – All pages that have been marked as a favorite or shortcut.

History – Details on all pages visited.

Cookies – Data items stored by web servers for future reference.

Downloads – URL and file name of files that have been downloaded.

Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since.

Network – An analysis of the network activity on the suspect’s computer. This information includes ARP tables, interfaces, and netstat activity.

ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model. From a forensics point of view the ARP table shows what computers were connected to the suspect’s machine on their local area network at the time of analysis.

Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Processes – Use the OS to list all active applications running on the suspect’s computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.

Note: This will not show background and system processes. OS specific plugins are included for this purpose.

Apple Safari – Create a summary of online activity of the suspect when/if they use Safari. Information captured includes (but is not limited to) the following;

Bookmarks – All pages that have been marked as a favorite or shortcut.

History – Details on all pages visited.

Cookies – Data items stored by web servers for future reference.

Downloads – URL and file name of files that have been downloaded.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP, Windows Vista and Windows 7 are supported.

Screen shot – Capture and save a screen shot of the main screen on the suspect’s system. The plugin will temporarily hide MacLockPick during the process and save the file to your output folder along side the captured logs database.

Skype – Create transcripts of communications the suspect has made using Skype. Information captured includes (but is not limited to) the following;

VoIP calls, including the name or phone number.

Instant messages including the name of the third party, content of the message, and the date and time of the message.

SMS messages, including the phone number of the third party, and content of the message.

File Transfers.

Buddy list and details including addresses imported from other systems by Skype.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to land lines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information – Create a profile of the hardware in use by the suspect. Information captured includes (but is not limited to) the following;

User Name

Computer Name

Operating System

System Serial number (where available)

Processor

RAM

Model

UUID

Time Zone

Country Code

USB Flash Drive History – USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at are the entries where devices have been attached, especially USB devices, and grab the information regarding the device manufacturer and serial number if it has one.

Windows Registry – This module will extract all settings from the registry on Microsoft Windows systems.The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.